reform, reddit-style —

Reddit review puts some teeth into “Aaron’s Law”

Bill would change computer fraud law to prevent a Swartz-like prosecution.

Shortly after the suicide of Internet entrepreneur and activist Aaron Swartz, Silicon Valley lawmaker Zoe Lofgren proposed "Aaron's Law." The bill aims to reform the Computer Fraud and Abuse Act (CFAA), the law under which Swartz was prosecuted for mass-downloading academic documents from MIT's network. Swartz's family has blamed the government prosecution for contributing to his death.

Lofgren submitted a draft of the bill to be reviewed on reddit. After its online critique, a revised version of the bill was published today, with more far-reaching reforms.

The CFAA forbids "unauthorized access" to computer networks, and the older version of Lofgren's reform bill would have simply changed the wording of the law so that nobody could be prosecuted under CFAA if all they had done is violate terms of service.

But CFAA prosecutions, including the one against Aaron Swartz, often involve something more serious than mere TOS violations.

The new version defines unauthorized access as "the circumvention of technological access barriers," which leaves a much narrower scope for prosecution. It also specifies that changing one's MAC or IP address does not violate CFAA or the wire fraud statute. It's pretty clear that Swartz, who was authorized to be on the MIT network, wouldn't be prosecutable under the new law.

Other recent CFAA prosecutions, like the one against Internet troll "weev," might not have been possible under the revised law, either. Weev arguably didn't "circumvent one or more technological measures that exclude or prevent unauthorized individuals from obtaining or altering that information," which is what is required under the language of the revised bill [PDF].

The bill could be introduced as early as next week, when the House is back in session. As Lofgren explained in a reddit discussion, though, it's a long process. First she'll have to urge her colleagues to become "original cosponsors" of the bill and then encourage the Judiciary Committee Chairperson (Rep. Bob Goodlatte of Virginia) to bring the bill up for a hearing or a vote. "Sustain[ing] public support throughout that process is important for the bill to continue advancing," wrote Lofgren.

This is pure stupid. Even with this new law in place, he would have been prosecuted for something else. The proper move would have been reduction in penalties that would require the harmed party to prove the level of damages involved.

The proper solution to dumb laws is reducing the sentence?! Or eliminating them?

It's good to see that Congress is still owned by lobbyists. Although these lobbyists might more properly be labeled as criminals. This succumbing to "change the law we violate or we'll violate it some more and break into your computer systems" form of lobbying is certainly a new twist on common organized crime thuggery, but it's still just thuggery.

The subtle "aw shucks, Aaron was authorized to be on the MIT network so what's the big deal" continues Ars' lack of integrity in reporting on this story. Aaron was NOT authorized to enter the network closet he placed the laptop in, and he was NOT authorized to leave the machine in the network closet STEALING the data he STOLE. What part of HE STOLE THE DATA is hard for you to understand? Whether YOU think it was data that should be fully in the public domain is utterly irrelevant on REPORTING. REPORT the facts, editorialize in an editorial column. Don't mix the two.

It is astounding to me that people are actually applauding criminals threatening us to get laws changed to make their actions no longer a crime. I mean, shucks, all Bernie Madoff did was steal a lot of money. I mean, we're all about redistribution of wealth now, right? He was just ahead of the curve. He stole from a lot of people so not very many were actually harmed, and it's just money, right? Who says you should get to own the money you work hard for? Let's change the fraud laws so that what he did wasn't a crime! He's a hero to all the scumbags in the world who appreciated his enterprising and ingenious methods of stealing.

Many criminals are geniuses. That doesn't mean when they are too cowardly to take responsibility for their actions that we de-criminalize their behavior. Grow up, people.

Punishing changing IP and MAC address is impossible to enforce, just using a VM with NAT connection has your machine would make you guilty.

Every time I read this argument I want to eat my hat. This is such a straw man it gives me a hunger to eat my clothing.

I think you are misunderstanding the argument. They are specifically and exclusively discussing the matter of making MAC address changing, absent of absolutely any other action, illegal. Clearly if a change to MAC was made to circumvent an access control mechanism, it would be illegal under the proposed new law. Currently, it would be illegal even if you did NOT use it to circumvent anything or access anything you are not already permitted to access.

As you said, changing your MAC should not be illegal in and of itself. However, that is what Titanium Dragon was defending, using the justification that sometimes it is used in attacks therefore it should be unilaterally illegal.

Punishing changing IP and MAC address is impossible to enforce, just using a VM with NAT connection has your machine would make you guilty.

Every time I read this argument I want to eat my hat. This is such a straw man it gives me a hunger to eat my clothing.

Just because something is technically possible in one environment does not make the act in every environment legal. It's well documented that Aaron wasn't running a VM and that his MAC address changing was in fact to regain access after MIT attempted to block his access. I don't understand what's so difficult about this. Has no one run a DHCP server and had to either white or black list machines before? Has no one ever had to setup reservations before on their home router?

Yes, I get it - MAC addresses are not unique identifiers anymore. Yes, they should not be used for security. Yes, it shouldn't be illegal to change your MAC address.

But will everyone please stop telling me that just because dynamic MAC addressing exists in virtual environments means that all MAC address changing is 100% benign because you just have your head in the sand on how a lot of current systems handle such access.

Changing a MAC address should not be illegal for anything EVER! If they wanted him out they should have used a system that WAS NOT OPEN. The very reason it should not be is clearly obvious and the reason we're in this mess. You have a corrupt U.S. Attorney like Carmen Ortiz who used the law to fit her needs and made a case that was completely ridiculous. FFS Child molesters get less time than the max that Aaron was facing. She should be fired, fined, and arrested for this bullshit that had no place going as far as it did. It had zero place in the courts plain and simple and the abuse of power she has demonstrated is far worse than anything Aaron has done.

The subtle "aw shucks, Aaron was authorized to be on the MIT network so what's the big deal" continues Ars' lack of integrity in reporting on this story. Aaron was NOT authorized to enter the network closet he placed the laptop in, and he was NOT authorized to leave the machine in the network closet STEALING the data he STOLE. What part of HE STOLE THE DATA is hard for you to understand? Whether YOU think it was data that should be fully in the public domain is utterly irrelevant on REPORTING. REPORT the facts, editorialize in an editorial column. Don't mix the two.

Then let's shift the argument from "authorized to access" to "was what he did 'stealing' in any real sense of the word?" There's a reasonable argument for downloading music/movies/games/etc. as "stealing" since those items are sold individually, but MIT pays databases a ludicrous amount of money for blanket access to the database. It's quite possible - and completely legal - for an individual from MIT to manually access and download thousands upon thousands of articles and save them to their computer, legally, because that's permitted under that contract. It just takes a lot longer to do it manually.

In other words, what Aaron really did, with respect to the articles in question, was develop and use a computer program that significantly sped up the process of finding and downloading articles. Downloading articles is a completely legitimate use of the database - he just did it at a faster pace than the network and the database were comfortable with. Hell, if he had ensured that the program pulled articles slowly enough, he wouldn't have "damaged" MIT at all because you couldn't even make a network load claim and JSTOR probably wouldn't have noticed a thing (and has no grounds to claim damages for a legitimate use of their database).

So you can claim that his access to some extent was unauthorized, particularly after MIT restricted his access, but that's really all he did that was wrong outside of violating TOS. Downloading articles to a computer individually is not "stealing," so why on earth is downloading articles TOO QUICKLY called "stealing?"*

* - Now if those articles were released publicly, then THAT action could be considered a form of theft since people wouldn't need to pay to access pretty much the entire backlog of JSTOR. But this is true for user-downloaded articles as well - disseminating those widely is technically on the wrong side of the law, since the contract with MIT would strictly prohibit the distribution of downloaded content. That is where things would have crossed the line, but it's ludicrous to assume that's what he would have done to justify the charges - you can't prosecute somebody for something that they never did, unless you can prove intent so clearly that it goes beyond a "reasonable doubt." Not to mention that the "intent to" argument only flies with drugs and murder.

Changing a MAC address should not be illegal for anything EVER! If they wanted him out they should have used a system that WAS NOT OPEN. The very reason it should not be is clearly obvious and the reason we're in this mess. You have a corrupt U.S. Attorney like Carmen Ortiz who used the law to fit her needs and made a case that was completely ridiculous. FFS Child molesters get less time than the max that Aaron was facing. She should be fired, fined, and arrested for this bullshit that had no place going as far as it did. It had zero place in the courts plain and simple and the abuse of power she has demonstrated is far worse than anything Aaron has done.

MIT designed their system to be relatively accessible for the benefit of their staff, faculty, students, research collaborators, and guests. For sure they could've had the system as locked down as a DoD SIPRnet, but that would've been counterproductive for their users. Aaron Swartz abused the privileges he was given as a guest on their network to carry out his agenda and MIT paid by having access to JSTOR cut off. Apparently, no good deed goes unpunished.

They should just put a 5 year cap on prison sentences because anyone who needs to be out of society for more than 5 years probably needs to be in a psych hospital.

Crazy laws that require putting someone away for life are just ways to hide having to fix social problems.

I'm going to shatter your reality.

Some people who do things? There's nothing actually wrong with them. In fact, this is actually true of MOST people who commit crimes. Mental illness is not actually terribly common amongst people who commit crimes - most people who commit crimes are NOT mentally abnormal. A bit dumber than the rest of the population is just about the only real trend there is.

Quote:

I think you are misunderstanding the argument. They are specifically and exclusively discussing the matter of making MAC address changing, absent of absolutely any other action, illegal. Clearly if a change to MAC was made to circumvent an access control mechanism, it would be illegal under the proposed new law. Currently, it would be illegal even if you did NOT use it to circumvent anything or access anything you are not already permitted to access.

As you said, changing your MAC should not be illegal in and of itself. However, that is what Titanium Dragon was defending, using the justification that sometimes it is used in attacks therefore it should be unilaterally illegal.

I never said any such thing, and changing your MAC and IP address is not illegal unless you're doing it for illegal reasons - such as trying to access a computer system that you are not allowed to access.

Are you illiterate or a terrorist, trying to scare people?

lXilEl wrote:

Changing a MAC address should not be illegal for anything EVER! If they wanted him out they should have used a system that WAS NOT OPEN. The very reason it should not be is clearly obvious and the reason we're in this mess. You have a corrupt U.S. Attorney like Carmen Ortiz who used the law to fit her needs and made a case that was completely ridiculous. FFS Child molesters get less time than the max that Aaron was facing. She should be fired, fined, and arrested for this bullshit that had no place going as far as it did. It had zero place in the courts plain and simple and the abuse of power she has demonstrated is far worse than anything Aaron has done.

Please join Aaron in taking a swing.

You are not allowed to enter a house that isn't yours without permission, even if there aren't locks on the doors.

It's illegal to do anything to gain unauthorized access to a computer system. You have no right to gain unauthorized access to a computer system, and the owners of the system DO have the right to deny you access. If you evade a ban to get onto a network, then you have no right to get on that network.

Open networks exist as a convenience. If you have no ability to moderate your open network, then you'll have criminals like Aaron abusing them freely.

The maximum sentence is utterly irrelevant in this case because he was not facing anywhere near the maximum sentence.

Only a liar or a sucker says that he was.

So which is it - are you dangerously ignorant and fanatical to the point where you are not in touch with reality, or are you lying to advance your own political agenda?

There are zero other possibilities in this case, at this point. It is inexcusable. So pick one.

Hellheart wrote:

Then let's shift the argument from "authorized to access" to "was what he did 'stealing' in any real sense of the word?" There's a reasonable argument for downloading music/movies/games/etc. as "stealing" since those items are sold individually, but MIT pays databases a ludicrous amount of money for blanket access to the database. It's quite possible - and completely legal - for an individual from MIT to manually access and download thousands upon thousands of articles and save them to their computer, legally, because that's permitted under that contract. It just takes a lot longer to do it manually.

There have been umpteen articles on this matter. You are commenting in the thread. Please at least try to gain some understanding of what you're talking about before you comment.

Aaron was not charged with stealing. He was charged with wire fraud, unauthorized access, and reckless damage to the system he was attacking. The crime he committed was breaking into the system repeatedly by bypassing bans.

Doing this is illegal for obvious reasons. Breaking into private property is illegal. This is the cyber equivalent, and he did it repeatedly, costing MIT five figures fighting off his assaults on the network.

There are no "stealing" charges. The only people who say that there were are insane fanatics. You should not listen to any of them, because they are all liars.

They should just put a 5 year cap on prison sentences because anyone who needs to be out of society for more than 5 years probably needs to be in a psych hospital.

Crazy laws that require putting someone away for life are just ways to hide having to fix social problems.

I'm going to shatter your reality.

Some people who do things? There's nothing actually wrong with them. In fact, this is actually true of MOST people who commit crimes. Mental illness is not actually terribly common amongst people who commit crimes - most people who commit crimes are NOT mentally abnormal. A bit dumber than the rest of the population is just about the only real trend there is.

I never said people who commit crimes typically have mental illness.

All I was stating is that if someone is THAT dangerous to society that we need to pay $60k/year to keep them locked away in prison for the next 50 years, that person probably has other issues because the only people that dangerous are mass murderers.

Prison is supposed to be a "correctional facility", and I fail to see how putting someone away for 50 years is anything but retribution, not justice.

Either the prison needs to fix them in a reasonable amount of time or a psych hospital needs to monitor and help someone with long term anti-social behavior issues, but shoving them into a prison where those anti-social behaviors are reinforced helps no one.

Except it's simply not true. Is Manson crazy? Yes. But is he treatable? No. There isn't anything wrong with him in the medical sense - it's pretty obvious from the way that he behaves that he is well aware of how he acts and how he comes off, and he -likes it-. You can't release Manson back into society. Ever.

The same is true of many people. If you murder someone else, very often there is something seriously wrong with you that isn't psychological in nature - it is the choices that you make that are driving you to this behavior. Most people who commit murder -aren't- mentally ill. They just care that little about whoever they killed, and oftentimes about people in general. The same is true of many crimes.

If you don't care about other people, no amount of treatment is going to fix you. I DO believe in rehabilitating criminals, but I also understand the reality that many people are there because of the choices they made, and they will reoffend again if they get out.

The new version defines unauthorized access as "the circumvention of technological access barriers," which leaves a much narrower scope for prosecution.

That is just asinine. You don't have to circumvent anything and it will and should be considered "unauthorized".

There is obviously a disconnect in what should be considered "authorized" access. In my opinion, and in my experience, authorization to access a network is expressed, not implied. Even though a network may be open, or have easily circumventable barriers, accessing it without the permission of the owner of that network can still be considered as unauthorized unless expressly stated. An open door does not mean you have the right (or permission) to walk in.

* - Now if those articles were released publicly, then THAT action could be considered a form of theft since people wouldn't need to pay to access pretty much the entire backlog of JSTOR. But this is true for user-downloaded articles as well - disseminating those widely is technically on the wrong side of the law, since the contract with MIT would strictly prohibit the distribution of downloaded content. That is where things would have crossed the line, but it's ludicrous to assume that's what he would have done to justify the charges - you can't prosecute somebody for something that they never did, unless you can prove intent so clearly that it goes beyond a "reasonable doubt." Not to mention that the "intent to" argument only flies with drugs and murder.

I didn't say one word about his intent to do anything with the articles after he TOOK THEM. If someone comes into my house and takes my TV, just because they don't sell it doesn't make it not a theft. What they intend to do with it is irrelevant; what they did to obtain it IS THE CRIME. He took that which he was not authorized to take in a manner in which he was not authorized to take it.

Let's assume as you do that he is actually authorized to take every one of the documents he took (this is questionable). The manner in which he did it is criminal activity. For instance, if I break into a bank and take money out of the vault, even if I only take money equal to my deposits in that bank, guess what? I'm a bank robber. I had every right to the money I deposited, but not to take it in the manner in which I did. The context of taking something is absolutely relevant, especially as we deal with digital crime!

Of course, one other key piece of information everyone seems to conveniently ignore is that the prosecutors in the case never threatened to go after the max sentence; they were in fact offering a plea down to a much lesser sentence.

It's a loss of a bright mind. A bright, criminal mind. Perhaps if he'd spent more time creating and less time trying to prove how morally superior he was to the rest of the universe, he wouldn't have collapsed into the wormhole of his own ego and ended his life early.

I never said any such thing, and changing your MAC and IP address is not illegal unless you're doing it for illegal reasons - such as trying to access a computer system that you are not allowed to access.

Are you illiterate or a terrorist, trying to scare people?

What you are arguing about is making the act of pulling a gun trigger illegal if you shoot someone, on top of the accusation that would come from such an act.

Laws need to be binary, not circumstantial; circumstances are for the sentence. Laws that are not binary can quickly degenerate through interpretation and are hard to enforce correctly. Also, laws that are not enforced simply become deprecated, thus becoming hard to socially justify their application the day someone decides to randomly enforce them.

Let's take the Danish flag for example: if I am caught burning the Dannebrog on a pyre outside, should I be guilty of burning a flag or not, if flag burning is illegal, as burning it is actually the only proper way to dispose of it? (There are some more elements than just simply burning it, but keeping to the general gist of it.)

If you ask me, a good justice system, where burning a flag is illegal, would find you guilty, but enforce no punishment beyond a warning and possibly a compromise solution, if you happen to have to get rid of multiple worn Dannebrog.

By making laws binary, you open them up to all kinds of criminal activity being done to circumvent the exact specifics of a law. You would end up with a scenario where committing an act using one method is illegal, while committing that act using a different method is merely unethical. This is how tax cheats and athletes who use PED's get away without being punished.

I didn't say one word about his intent to do anything with the articles after he TOOK THEM. If someone comes into my house and takes my TV, just because they don't sell it doesn't make it not a theft. What they intend to do with it is irrelevant; what they did to obtain it IS THE CRIME. He took that which he was not authorized to take in a manner in which he was not authorized to take it.

Except he was authorized to take every single document he obtained. He was not authorized to take them in the manner he did under the ToS, though, and probably broke MIT's AUP. It's questionable to enforce those in a civil case, let alone a criminal one.

Quote:

Let's assume as you do that he is actually authorized to take every one of the documents he took (this is questionable). The manner in which he did it is criminal activity. For instance, if I break into a bank and take money out of the vault, even if I only take money equal to my deposits in that bank, guess what? I'm a bank robber. I had every right to the money I deposited, but not to take it in the manner in which I did. The context of taking something is absolutely relevant, especially as we deal with digital crime!

Yes, breaking into a broom closet is a criminal activity. One that would at most probably involve a few weekends of community service and a fine of a few hundred bucks. I'm not sure what the hell that has to do with theft, though, which Swartz was not charged with.

Quote:

Of course, one other key piece of information everyone seems to conveniently ignore is that the prosecutors in the case never threatened to go after the max sentence; they were in fact offering a plea down to a much lesser sentence.

A lesser sentence that still exceeds what would have been appropriate for his actions. Also, while the prosecutor didn't go for the maximum, arguing that he could waive a constitutional right for a lesser sentence is a bit disingenuous at the very least. It's a plea bargain, not a plea gift. If he actually chose to defend himself, he would be facing considerably longer than the plea bargain. Last I heard, he was also going to be stuck with felony charges, which do a lot of damage on their own, and were again inappropriate for his actions.

By making laws binary, you open them up to all kinds of criminal activity being done to circumvent the exact specifics of a law. You would end up with a scenario where committing an act using one method is illegal, while committing that act using a different method is merely unethical. This is how tax cheats and athletes who use PED's get away without being punished.

Then add another binary to enforce.

Laws with interpretation just become convoluted, and beyond a certain point you start requiring people formed in matters of law just to understand them.

Except he was authorized to take every single document he obtained. He was not authorized to take them in the manner he did under the ToS, though, and probably broke MIT's AUP. It's questionable to enforce those in a civil case, let alone a criminal one.

Tell us, what definition of "authorized" includes someone who admins tried for months to ban from the network, eventually leading MIT to contact the FBI?

By making laws binary, you open them up to all kinds of criminal activity being done to circumvent the exact specifics of a law. You would end up with a scenario where committing an act using one method is illegal, while committing that act using a different method is merely unethical. This is how tax cheats and athletes who use PED's get away without being punished.

Then add another binary to enforce.

Laws with interpretation just become convoluted, and beyond a certain point you start requiring people formed in matters of law just to understand them.

And a binary law would become even more convoluted with defendants being acquitted based on a "bug" in the law. That would also require people formed in the matter of how it was written to understand it. The result would be a ridiculous cat-and-mouse game of people using means of getting around the law using unanticipated methods the same way a hacker uses a zero-day exploit, with the downside being that we can't patch laws as fast as we can patch software.

Laws need to be binary, not circumstantial; circumstances are for the sentence. Laws that are not binary can quickly degenerate through interpretation and are hard to enforce correctly. Also, laws that are not enforced simply become deprecated, thus becoming hard to socially justify their application the day someone decides to randomly enforce them.

No, this is completely unworkable. Laws used to be a lot more binary than they are now, and the results were not pretty. I.e., hanging as the penalty for stealing bread.

We don't need to overcomplicate things, but some things just are complicated, and we will cause a huge amount of unnecessary trouble if we oversimplify things. Law is circumstantial because reality is circumstantial.

Examples of bad binary crimes:

(1) It is a crime to break and enter.

This means that the burglar who breaks into your house commits the same crime as you do when you've locked yourself out. (But you get a lesser penalty? No thanks.)

(2) It is a crime to break and enter someone else's property.

You see smoke coming out of the neighbor's house and someone tells you that grandma is trapped inside. After breaking in the door and rescuing her, you are arrested.

(3) It is a crime to break and enter someone else's property with the intent to commit a felony while inside.

This is the standard burglary law. It is circumstantial because it has to be: law has to distinguish between different kinds of breaking and entering, and it does so by looking at the reason for breaking and entering.

Most crimes are like this. Look at murder: Killing someone else is murder. But not if it was completely accidental. And not if it was done in self defense, or in war. And it's a lesser crime if you don't intend to kill someone but you act recklessly and someone dies (drunk driving, manslaughter, reckless driving).

Lying is generally not a crime. But it is a crime when you lie under oath, and it's a crime when you issue forged checks or lie with the intent to defraud.

And a binary law would become even more convoluted with defendants being acquitted based on a "bug" in the law. That would also require people formed in the matter of how it was written to understand it. The result would be a ridiculous cat-and-mouse game of people using means of getting around the law using unanticipated methods the same way a hacker uses a zero-day exploit, with the downside being that we can't patch laws as fast as we can patch software.

Except that people already do that. They do otherwise illegal things by exploiting technicalities. That's why every couple of years, there will be a new law regarding stocks, the financial industry, or such. Our tax code is riddled with such things, and the financial costs of that in a year likely far exceed the entire value of JSTOR altogether. A law is either going to allow somebody guilty of wrongdoing and/or harm to walk free, or allow somebody innocent to be prosecuted. The question is whether we should err in making the laws too narrow or too broad, and the principles of our justice system say that we should go with narrow. Better to let a hundred guilty men go than convict one innocent person. Ideally, prosecutors could be trusted with discretion in their use of a large amount of power, so that those working the system can get caught while nobody who should be considered innocent is facing an unreasonable sentence. However, we have parties like Ortiz that abuse that power, and THAT is why we can't have nice things and must, for the good of society, open up a few holes.

By making laws binary, you open them up to all kinds of criminal activity being done to circumvent the exact specifics of a law. You would end up with a scenario where committing an act using one method is illegal, while committing that act using a different method is merely unethical. This is how tax cheats and athletes who use PEDs get away without being punished.

Then add another binary to enforce.

Law with interpretation just becomes convoluted, and beyond a certain point you start requiring people formed in matters of law just to understand it.

And a binary law would become even more convoluted with defendants being acquitted based on a "bug" in the law. That would also require people formed in the matter of how it was written to understand it. The result would be a ridiculous cat-and-mouse game of people using means of getting around the law using unanticipated methods the same way a hacker uses a zero-day exploit, with the downside being that we can't patch laws as fast as we can patch software.

That's because you're trying to make law for the method and not the act.

Methods are open to interpretation according to circumstance, thus should be part of the sentencing, not as proof of guilt.

A good justice system should work in two separate steps: first step getting proof of guilt, not a single talk about sentence is made during that step; if found guilty then proceed to sentencing, at which point you can start involving interpretation of the event and possible punishment prescription according to them, which could be none, if the circumstances socially legitimize the act.

Except that people already do that. They do otherwise illegal things by exploiting technicalities. That's why every couple of years, there will be a new law regarding stocks, the financial industry, or such. Our tax code is riddled with such things, and the financial costs of that in a year likely far exceed the entire value of JSTOR altogether. A law is either going to allow somebody guilty of wrongdoing and/or harm to walk free, or allow somebody innocent to be prosecuted. The question is whether we should err in making the laws too narrow or too broad, and the principles of our justice system say that we should go with narrow. Better to let a hundred guilty men go than convict one innocent person. Ideally, prosecutors could be trusted with discretion in their use of a large amount of power, so that those working the system can get caught while nobody who should be considered innocent is facing an unreasonable sentence. However, we have parties like Ortiz that abuse that power, and THAT is why we can't have nice things and must, for the good of society, open up a few holes.

And by making the laws binary, you open them up to further technical exploitation. New laws regarding stocks, etc. are crafted to plug these loopholes. By broadening the law, you eliminate the susceptibility to exploitation, while maintaining the burden of proof necessary to demonstrate that the offender had the intent to violate the law.

Narrowing the law because of how you felt Carmen Ortiz handled this particular case is simply throwing out the baby with the bathwater by having the unintended consequence of handcuffing another prosecutor from doing their job of bringing justice to an offender who truly deserves it.

No, this is completely unworkable. Laws used to be a lot more binary than they are now, and the results were not pretty. I.e., hanging as the penalty for stealing bread.

We don't need to overcomplicate things, but some things just are complicated, and we will cause a huge amount of unnecessary trouble if we oversimplify things. Law is circumstantial because reality is circumstantial.

That's because you're combining the act of guilt with a sentence; law and sentencing should be separate entities.

A trial should work in two steps, first simply finding if someone is guilty or not, period, no interpretation, no discussion beyond guilty or not. If you go on actual trial for this part and you are found guilty, then during sentencing section you are open to harsher for trying to hide the act, as you lied in front of the court.

Second step is sentencing, this one you start interpretation of the event and there could be predefined prescribed punishment, which could be no sentence, if socially justifiable act, like stealing food cause you were dying of hunger, as it is an act of self-preservation, self-defense being another example.

And by making the laws binary, you open them up to further technical exploitation. New laws regarding stocks, etc. are crafted to plug these loopholes. By broadening the law, you eliminate the susceptibility to exploitation, while maintaining the burden of proof necessary to demonstrate that the offender had the intent to violate the law.

Narrowing the law because of how you felt Carmen Ortiz handled this particular case is simply throwing out the baby with the bathwater by having the unintended consequence of handcuffing another prosecutor from doing their job of bringing justice to an offender who truly deserves it.

Yes, it will potentially let some nasty criminals go free until the law can cover a specific kind of case. It will also mean that people like Swartz aren't facing felony charges. It's the principle of weight in letting the guilty go free versus convicting the innocent. I acknowledge the problem you bring up and consider it more than worth it. Handcuffing prosecutors isn't a bug, it's a feature.

Also, I'd say that the language changes seem to be mostly changing the law so it won't be used against those who are not doing anything serious and probably aren't the ones expected to be covered by the law. It will make networks without any security measures unable to press charges, but I don't see that as necessarily a bad thing, as it will encourage those with important data to adopt security measures.

Now, if we had infallible or nigh infallible prosecutors, broad laws would be okay and we'd get the best bang for our buck. However, broad laws give prosecutors power, and power corrupts.

Yes, it will potentially let some nasty criminals go free until the law can cover a specific kind of case. It will also mean that people like Swartz aren't facing felony charges. It's the principle of weight in letting the guilty go free versus convicting the innocent. I acknowledge the problem you bring up and consider it more than worth it. Handcuffing prosecutors isn't a bug, it's a feature.

Also, I'd say that the language changes seem to be mostly changing the law so it won't be used against those who are not doing anything serious and probably aren't the ones expected to be covered by the law. It will make networks without any security measures unable to press charges, but I don't see that as necessarily a bad thing, as it will encourage those with important data to adopt security measures.

Now, if we had infallible or nigh infallible prosecutors, broad laws would be okay and we'd get the best bang for our buck. However, broad laws give prosecutors power, and power corrupts.

Making offenders who commit crimes against unprotected networks immune to prosecution (and other no harm, no foul laws) is stupid. For one thing, that gives offenders free rein to shit on anybody (corporate and personal) who provides network access as a gesture of goodwill. For another, why should we put this burden on the victim? It's punishment enough that somebody used their network in a malicious manner; your proposal rubs salt in their wounds by providing them with no means of redress against such violators. This is no better than telling a man who was robbed at 3 am that you're not going to go after the person who mugged him because he had no business being on the streets at that time of the night anyway.

I can see that there are a lot of people here who worship at the altar of the 'Holy Swartz'. Funny how many of you despise religiosity and then go and perform actions every bit as religious as those you regularly denigrate. That should be called hypocrisy. Swartz broke the law. He should have been prosecuted more than he was. Yes, an example should have been made of him. Also the Anonymous law-breakers, and Asshinge. Arrogant children, one and all, but it's more important to point out the fact that allowing them to get away with this sort of action only will continue to contribute to anarchy by showing to others 'we can usurp the law and take justice into our own hands, and get away with it.'

Making offenders who commit crimes against unprotected networks immune to prosecution (and other no harm, no foul laws) is stupid. For one thing, that gives offenders free rein to shit on anybody (corporate and personal) who provides network access as a gesture of goodwill. For another, why should we put this burden on the victim? It's punishment enough that somebody used their network in a malicious manner; your proposal rubs salt in their wounds by providing them with no means of redress against such violators.

Even if the CFAA is amended, violating a website's TOS would still be a violation of contract law and plaintiffs would still be entitled to sue. They would still have a means of redress, it just wouldn't involve sending people to prison for years or decades.

That's because you're combining the act of guilt with a sentence; law and sentencing should be separate entities.

A trial should work in two steps, first simply finding if someone is guilty or not, period, no interpretation, no discussion beyond guilty or not. If you go on actual trial for this part and you are found guilty, then during sentencing section you are open to harsher for trying to hide the act, as you lied in front of the court.

Second step is sentencing, this one you start interpretation of the event and there could be predefined prescribed punishment, which could be no sentence, if socially justifiable act, like stealing food cause you were dying of hunger, as it is an act of self-preservation, self-defense being another example.

I think I see what you're getting at here, but I don't think it would work in anything beyond the pure idealistic stance that you're presenting it. While that separation of action versus intent might work in some of the more common cases (such as aforementioned stealing bread), where a jury of peers and judge would all understand the crime itself and the different possible motives, it would break down on many of the more "modern" crimes having to do with complex and highly specialized areas of knowledge like the financial district, technology, or different sciences.

If you separate crime and motive and rely on a jury of peers (which is a Constitutional right in America--I'm not sure, but I'm guessing you're not American?) to determine both guilt of crime and then subsequently the motive (thereby determining sentencing, which I think is what I'm interpreting your idea to mean), then you will have a large swath of crimes that will still get sentenced incorrectly or unfairly because the crimes and thereby the motives will not be as easily understood by the jury--and possibly judge--than they are now.

I think it's a noble idea, but I do not think it could be implemented in reality in the current day and age. Also, lawyers would never allow it as the laws need to be as complex and unable to be understood as possible so they can assure themselves of always having jobs.

What you are arguing about is making the act of pulling a gun trigger illegal if you shoot someone, on top of the accusation that would come from such an act.

No. This is patent nonsense.

Unauthorized access is unauthorized access. You cannot commit this crime "by accident". It has to be purposeful. Changing your IP or MAC address is not illegal, unless you do it in order to gain unauthorized access or otherwise commit wire fraud, just as discharging a firearm is not illegal unless you are being reckless or doing so at another person who is not threatening your life with deadly force.

The crime is not "changing your IP address". The crime is unauthorized access and wire fraud. This can be committed in any number of ways - changing your IP/MAC address to appear as an unbanned user, changing them to appear to be a specific user, having your computer present false security credentials, posing as one person when you are actually another to gain access to a computer system, etc. Unauthorized access is exactly that - bypassing an IP or MAC address ban is an example, but so is running rainbow tables on passwords, using passwords from other sites to get in, exploiting a Java vulnerability to give yourself backdoor access, etc.

I'm not sure what part of this is difficult for you to understand.

The crime is not changing the IP address. The crime is unauthorized access. Just as there is no crime "murder with a gun" - it's just murder.

Laws are intentionally written broadly for exactly these reasons. It is illegal to kill anyone in any manner - the crime is murder. It is irrelevant if you do it with a car, a bomb, or a spoon - you're still a murderer, and you get charged with the crime of murder.

It is very simple.

knbgnu wrote:

Except he was authorized to take every single document he obtained. He was not authorized to take them in the manner he did under the ToS, though, and probably broke MIT's AUP. It's questionable to enforce those in a civil case, let alone a criminal one.

It's really irrelevant. The crime, again, was unauthorized access - he was banned from MIT, and circumvented said bans. That he could have accessed the data from Harvard is irrelevant to the case.

Quote:

Except that people already do that. They do otherwise illegal things by exploiting technicalities. That's why every couple of years, there will be a new law regarding stocks, the financial industry, or such. Our tax code is riddled with such things, and the financial costs of that in a year likely far exceed the entire value of JSTOR altogether. A law is either going to allow somebody guilty of wrongdoing and/or harm to walk free, or allow somebody innocent to be prosecuted. The question is whether we should err in making the laws too narrow or too broad, and the principles of our justice system say that we should go with narrow. Better to let a hundred guilty men go than convict one innocent person. Ideally, prosecutors could be trusted with discretion in their use of a large amount of power, so that those working the system can get caught while nobody who should be considered innocent is facing an unreasonable sentence. However, we have parties like Ortiz that abuse that power, and THAT is why we can't have nice things and must, for the good of society, open up a few holes.

The funny thing is, you're actually (mostly) wrong.

The way that most of these loopholes work is that they are actually written into the law to protect legitimate activity. A good example is self defense, which is an exception to murder - if you kill someone who is attempting to use deadly force against someone else, then you are not guilty of any crime. However, it is possible for people to plead self defense even when they were not in fact so threatened, and get away with murder. Note that if someone punches you in the arm, and you pull a gun on them and shoot them, you can be convicted of murder (though you'd probably be convicted of manslaughter, unless you were intentionally trying to provoke them or had assaulted them yourself) - the exception is specific to someone threatening you with deadly force. Note that it does not matter if they don't intend to kill you - if they pull a knife on you, you can shoot them (assuming they're close enough to be a threat - someone a hundred feet away probably wouldn't qualify).

Most tax loopholes and financial loopholes are similar - they exist as exceptions to the broader rule to allow specific legitimate activities, which then get twisted. Most of the overseas tax loopholes, for instance, exist to make it so if you do business in another country you don't get taxed twice. Then they make it more and more specific.

iniudan wrote:

That's because you're trying to make law for the method and not the act.

The law is already about the act of unauthorized access and wire fraud; it doesn't care about how you do it.

There are people who claim otherwise. These people are all liars.

Quote:

That's because you're combining the act of guilt with a sentence; law and sentencing should be separate entities.

You don't understand how law works at all.

Self-defense means you didn't commit a crime. Murder is killing someone else without just cause. Soldiers fighting enemy combatants and people acting in self defense (which includes the defense of others) are not murderers. Self defense is a criminal defense against a charge of murder.

Please educate yourself on the law.

And sentencing IS done after you're convicted. Each law falls under certain sets of guidelines under the federal sentencing laws, as well as has a specific rule that is the maximum sentence attached to that particular crime. So you get convicted of murder (if you were acting in self defense, then you wouldn't be convicted because you're not a murderer) and then it goes onto the next step of the trial which is determining sentencing (which there are guidelines for based on the severity of the crime - for cases where you cause property damage, for instance, the amount of property damage varies your sentence, which is why he would have gotten no more than a couple years in jail if convicted, barring him showing signs that he would do it again).

Laws should be written generally.

And in reality, you cannot accidentally commit a felony. He WILLFULLY bypassed the bans.

The only "accidental" felonies you can commit are crimes you commit while doing other crimes - for instance, if you discharge a firearm recklessly, and kill someone accidentally, you are guilty of criminally negligent manslaughter. If you threatened someone with a knife, and they had a heart attack, but had no knowledge of the fact that they had a weak heart, you could be guilty of constructive manslaughter. If the action you committed wasn't illegal in the first place (You popped out and shouted boo! at them and they dropped dead) you wouldn't be guilty of anything at all, though in some cases that might change based on the situation (for instance, shouting Boo! at someone to startle them while they are doing something dangerous, like handling explosives, would be criminally negligent manslaughter (though it would actually be due to recklessness, not negligence)).

You can't just accidentally commit a felony. And in this case, he knew that what he was doing could get him in serious trouble, which is why he went to MIT to do it rather than doing it at Harvard, and why he hid his face with a bicycle helmet.

The law needs to make it clear that any 'technical measures' that could be 'bypassed' by using a different computer should not count.

This includes MAC address and IP address changes.

This would also include cookie based protection and anything else that ties itself to a particular piece of hardware or software.

When you create a new virtual machine, it will get a new MAC address, which will be given a different IP address, and will not retain any cookies that were set.

Given the widespread vulnerabilities in browsers, it can be a very good practice to have a VM image that you never use, but instead copy (creating a new virtual machine) and use that copy, deleting the copy after each session.

As a practical matter, saying that it's illegal to change your MAC address just means that anyone who can afford to spend more on hardware changes their MAC address by using a different piece of hardware instead of changing it in software.

The law needs to make it clear that any 'technical measures' that could be 'bypassed' by using a different computer should not count.

This includes MAC address and IP address changes.

This would also include cookie based protection and anything else that ties itself to a particular piece of hardware or software.

When you create a new virtual machine, it will get a new MAC address, which will be given a different IP address, and will not retain any cookies that were set.

Given the widespread vulnerabilities in browsers, it can be a very good practice to have a VM image that you never use, but instead copy (creating a new virtual machine) and use that copy, deleting the copy after each session.

As a practical matter, saying that it's illegal to change your MAC address just means that anyone who can afford to spend more on hardware changes their MAC address by using a different piece of hardware instead of changing it in software.

Please stop spouting nonsense. The people who are arguing that it is illegal to change your IP or MAC address are crazy.

You cannot accidentally commit unauthorized access. You have to have willful intent to bypass a security system. If they banned your IP, but your IP naturally changed, then you aren't guilty of unauthorized access unless you specifically did something to change your IP with the purpose of evading the ban, or knew you were banned and then waited for your IP to change naturally so you could access the system again.

It's the difference between reckless endangerment and driving a car. Driving a car isn't illegal, but racing on the streets of San Francisco at 2 in the afternoon is. In both cases you're just driving a car, but in the latter case you're committing a crime by doing so. But driving a car is not illegal.

Using a different computer to bypass security SHOULD remain illegal, because the crime is bypassing security.

How would you know if your MAC address is blocked or if there is some other glitch?

If security can be bypassed by such a simple measure as using a different computer, then it's not really security, at most it's security theater.

If you replace a bank vault door with a piece of unlabeled curtain against the wall, you do not get to claim that someone walking through the curtain is a safecracker because they have 'violated the security of the safe by entering it'.

If you want to charge someone for breaking security, you have to actually have security in place to start with.

My day job for the last 16 years has been computer security (defending banks), I'm not just some 'data wants to be free' wild-eyed kid.

I don't agree with breaking into systems, but to break into something, there has to be a 'lock' to break.

In Aaron's case, there was no lock, there was open registration for anyone within range (yes it asked for your name, but it didn't check that name in any way), and there were no passwords or anything else to break.

Having a system disconnected from wireless doesn't mean that it's now not authorized to use the network at all, it's very frequently just that you used too much bandwidth and for fairness you are being bumped off. Nothing ever told Aaron that he was now not authorized to use the network at all, so getting back on the network was not 'breaking in'.

How would you know if your MAC address is blocked or if there is some other glitch?

Asking.

It's utterly irrelevant to this case though; there is no doubt that he did what he was doing in order to ban evade, and knew he was doing it. JSTOR got shut down as a result of his actions for several days on MIT's campus.

Quote:

If security can be bypassed by such a simple measure as using a different computer, then it's not really security, at most it's security theater.

If you replace a bank vault door with a piece of unlabeled curtain against the wall, you do not get to claim that someone walking through the curtain is a safecracker because they have 'violated the security of the safe by entering it'.

And here we go. Special pleading ahoy!

Guess what? That lock on your front door? Useless. I can easily break into any secured building which doesn't have a security guard posted. Do you have windows? I can get in that way. Do you have a key hidden anywhere? I can get in that way. Do you always lock every door? I can easily get in that way. And many locks are rather easy to pick if you know what you're doing.

It's STILL burglary to enter someone's house with criminal intent even if the front door is unlocked. Even if the door was -open-.

A lock on your front door is bad security. Heck, a closed door is a bad form of security.

Quote:

If you want to charge someone for breaking security, you have to actually have security in place to start with.

They had security. IP and MAC address bans are security. They are not GOOD security, but the network is meant to be an open one, which means that it isn't very secure.

This is like claiming you didn't trespass because they had an open window, and therefore you were pretty much invited inside, despite the front door being locked. Or that the back door was unlocked.

Quote:

My day job for the last 16 years has been computer security (defending banks), I'm not just some 'data wants to be free' wild-eyed kid.

And yet you are not aware of the basics of the law that have to do with your profession.

Remind me never to hire you.

Quote:

I don't agree with breaking into systems, but to break into something, there has to be a 'lock' to break.

In Aaron's case, there was no lock, there was open registration for anyone within range (yes it asked for your name, but it didn't check that name in any way), and there were no passwords or anything else to break.

It checked their IP and MAC addresses against a banned list, and if you were on the banned list, you weren't allowed on the network. That IS a form of security. Much like a store can ban someone from their store; your front door is still open for other people, but it isn't open for YOU.

Quote:

Having a system disconnected from wireless doesn't mean that it's now not authorized to use the network at all, it's very frequently just that you used too much bandwidth and for fairness you are being bumped off. Nothing ever told Aaron that he was now not authorized to use the network at all, so getting back on the network was not 'breaking in'.

Being IP and MAC address banned from a network is a pretty strong sign you are not allowed in in and of itself. Had he believed he was a legitimate user acting in good faith, he could have gone and asked for help. Instead, he deliberately and repeatedly bypassed bans, even after JSTOR access was shut down for the entire campus as a result of the attacks. In the end he put his computer in a supply closet and kept changing the IP/MAC to ban evade.

Your post is pure propaganda and entirely fabrication. What sort of person would hire a security consultant who lied to defend someone who broke into networks?

I sure wouldn't. That implies a very low level of integrity on their part.